Jira Data Center / JRASERVER-72378

I want to be able to download user uploaded avatars using personal access tokens


    Description

      Problem Definition

      With Jira 8.14, personal access tokens can now be created as a means to access the REST API in Jira Server/Data Center. While these tokens are a useful authorization alternative to access the REST API, one limitation is that user-uploaded avatars are not accessible via these tokens.

      Currently:

      • The REST API endpoint at /rest/api/2/user/avatars returns links to custom avatars:
            "custom": [
                {
                    "id": "1010",
                    "owner": "andrew",
                    "isSystemAvatar": false,
                    "isSelected": false,
                    "isDeletable": true,
                    "urls": {
                        "16x16": "http://localhost:8090/jira/secure/useravatar?size=xsmall&avatarId=10080",
                        "24x24": "http://localhost:8090/jira/secure/useravatar?size=small&avatarId=10080",
                        "32x32": "http://localhost:8090/jira/secure/useravatar?size=medium&avatarId=10080",
                        "48x48": "http://localhost:8090/jira/secure/useravatar?avatarId=10080"
                    },
                    "selected": false
                }
            ]
        
      • However, if a personal access token is passed as authentication to those links, the request returns a 403. Using curl, we can see that the user is being redirected to a login page.

      Suggested Solution

      • Create a REST API endpoint that can provide the binary data stream of custom avatars, enabling REST API users to download avatars using a personal access token, or
      • Allow requests including personal access tokens to access data at /secure/useravatar, so that these requests can be made successfully without redirecting to a login page.

      Why this is important

      This currently works with curl requests using basic authentication. Also, this appears to be possible in Jira Cloud using API tokens, so this is slightly out of parity with Cloud from a product standpoint.
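Added example, not part of the original issue and not Atlassian's code: a Python sketch of a client-side guard for scripts that pass a personal access token to the avatar links described under "Currently". It attaches the token only to links on the same origin as the Jira base URL and, assuming the download is made with redirects disabled, tells a real image apart from the 403 or login redirect. The function names, the image signature list and the sample data are assumptions; the token is sent as an `Authorization: Bearer` header.

```python
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the /rest/api/2/user/avatars fragment above.
SAMPLE = json.loads("""
{"system": [], "custom": [{"id": "1010", "owner": "andrew", "urls": {
  "16x16": "http://localhost:8090/jira/secure/useravatar?size=xsmall&avatarId=10080",
  "48x48": "http://localhost:8090/jira/secure/useravatar?avatarId=10080"}}]}
""")

# Assumption: avatars are PNG, JPEG or GIF; extend if other formats are served.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")
REDIRECTS = (301, 302, 303, 307, 308)


def same_origin(base, url):
    """True when url has the same scheme, host and port as the Jira base URL."""
    b, u = urlsplit(base), urlsplit(url)
    return (b.scheme, b.hostname, b.port) == (u.scheme, u.hostname, u.port)


def avatar_requests(base, token, avatars, size="48x48"):
    """Return (url, headers) per custom avatar; the PAT goes only to same-origin links."""
    out = []
    for entry in avatars.get("custom", []):
        url = entry.get("urls", {}).get(size)
        if url is None:
            continue
        headers = {"Authorization": f"Bearer {token}"} if same_origin(base, url) else {}
        out.append((url, headers))
    return out


def classify(status, headers, body):
    """Classify a download response that was fetched with redirects disabled."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        return "redirect:" + h.get("location", "")
    if status in (401, 403):
        return "denied"
    if status == 200 and h.get("content-type", "").lower().startswith("image/") \
            and body.startswith(IMAGE_MAGIC):
        return "image"
    return "unexpected"  # e.g. a 200 HTML login page; do not save it as an avatar


if __name__ == "__main__":
    for url, hdrs in avatar_requests("http://localhost:8090/jira", "<PAT>", SAMPLE):
        print(url, "token attached" if hdrs else "token withheld")
```

Anything other than `image` should be logged and skipped, so that a login page is never written to disk under an avatar file name.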

            People

              Unassigned
              Nathan Parks (nparks@atlassian.com)
              Votes: 1
              Watchers: 3
